You are getting ready to send funds to an exchange from your hardware wallet. You copy the public address from the exchange and into the wallet software. After triple-checking the address, you are confident you are not a victim of clipboard hijacking and have copied it correctly. Holding your breath, you click to approve the transaction. Now you've sent your funds to the chain and there is no turning back. Waiting in suspense, you check the transaction on the chain explorer, and you can see that it has one confirmation. Then two, then three. It finally settles, you exhale, and go on about your business.
Those of us who have been a part of the space for a while are very familiar with this sense of unrest. Whether you're a newb or a maxi from the early days, we've all been there. And most of us started by always sending a small test transaction first. The truth is that confidence in making these transactions grows only through proper vigilance, but for some, it was unfortunately learned by making costly mistakes. After all, a core property of blockchain is finality - sending to the wrong chain or address is effectively irreversible.
In part, what makes blockchain transactions irreversible is that there is no centralized party to appeal to. There is no singular body to trust. The network must reach final agreement via cryptographic consensus, making a blockchain a trustless financial system of record.
By contrast, self custody (the practice which allows us to "be our own bank") is not necessarily trustless. It does, however, reduce exposure to financial intermediaries, so it empowers us with more financial sovereignty. And in an era where central banks consistently prove greedy, taking self custody of funds is an alluring prospect for new buyers. But it can also be daunting. Indeed, hardware wallets were designed to address many of the fears associated with self custody. By abstracting away private key custodianship, hardware wallet manufacturers have created new trust relationships.
Because of this, anyone who plans to self-custody "crypto" should have at least a primitive understanding of public key cryptography, which is used to ensure blockchain transactions are authorized. Even though the word crypto often carries a negative connotation in the community, the term should not be considered taboo. Cryptographic consensus is the very foundation of our trust in valid transactions and blocks because it allows all nodes to synchronize sets of transactions independently.
Cryptography indeed enables secure monetary systems, networks, and data transactions. It is used to verify private keys without directly accessing them; it also verifies the owner of the wallet using signature algorithms. Still, vectors of trust and risk do permeate self-custody practices in the crypto space, which introduces this paradox of self custody and trust.
In Crypto We Trust
Those who willfully enter the crypto space are indeed trusting many things including cryptography, consensus mechanisms, and game theory equilibria. While it isn't ignorant to trust in cryptographic protocols, implementations of crypto wallets have always carried known risks.
In How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys (PDF), researchers show how a wallet sending transactions could fall victim to malicious implementations. Elliptic Curve Cryptography, for example, is what is used to generate public-private key pairs and digital signatures, and early implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA) had known vulnerabilities. In this research example, the per-signature point along the secp256k1 elliptic curve (derived from the signing nonce) is chosen by the wallet software instead of the algorithm's libraries. Under this configuration, the randomness with which that point is selected is external to the ECDSA algorithm.
Nefarious code can then choose a point along the secp256k1 elliptic curve that is non-random or predictable, allowing for the effective forgery of digital signatures. Later implementations adhering to RFC 6979 helped mitigate this by deriving the nonce deterministically from the private key and the message hash rather than from an external random source. This mechanism - internal to the algorithm's libraries - ensures that the nonce (i.e., number used only once) is not reused across digital signatures over different messages.
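To make the RFC 6979 mechanism concrete, here is an added example (not code from the article or from the cited paper) that derives the ECDSA nonce k for secp256k1 exactly as RFC 6979 section 3.2 prescribes, using HMAC-SHA256. Only the private key and the message hash go in, so the same message always yields the same k, different messages yield different k, and no external randomness is consulted.

```python
import hashlib
import hmac

# secp256k1 group order n (a public curve constant)
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = 256           # bit length of n
ROLEN = QLEN // 8    # octet length of n


def int2octets(x: int) -> bytes:
    # Fixed-width big-endian encoding (RFC 6979 section 2.3.3)
    return x.to_bytes(ROLEN, "big")


def bits2int(b: bytes) -> int:
    # Big-endian decode, truncated to the leftmost QLEN bits (section 2.3.2);
    # for a 256-bit hash and a 256-bit order no truncation occurs
    i = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN
    return i >> excess if excess > 0 else i


def bits2octets(b: bytes) -> bytes:
    # Reduce modulo n before encoding (section 2.3.4)
    return int2octets(bits2int(b) % SECP256K1_N)


def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Deterministic ECDSA nonce k per RFC 6979 section 3.2 (HMAC-SHA256)."""
    seed = int2octets(priv) + bits2octets(msg_hash)
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + seed, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + seed, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:
        t = b""
        while len(t) < ROLEN:
            v = hmac.new(k, v, hashlib.sha256).digest()
            t += v
        candidate = bits2int(t)
        if 1 <= candidate < SECP256K1_N:
            return candidate
        # Candidate out of range: re-key and try again (step h.3)
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()


def nonce_for_message(priv: int, message: bytes) -> int:
    # Hash the message with SHA-256 first, as a Bitcoin signer would
    return rfc6979_nonce(priv, hashlib.sha256(message).digest())
```

A wallet that signs this way can be checked against published RFC 6979 test vectors, which is exactly the kind of verifiability an externally supplied "random" point never offers.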
The point is that most in the space implicitly trust cryptography. In doing so, we may blindly assume blockchain security models are robust enough. One such blind spot is the expectation that blockchain consensus is quantum resistant, which is an arguably negligible threat. Perhaps more critically, we must acknowledge our trust in consensus game theory principles. Hashpower must be decentralized enough to protect against coercion, collusion, and censorship. Ultimately, the longest chain needs to win to achieve immutability and to maintain trust in the consensus.
This much should be clear, but things can get fuzzy on the question of trust when talking about wallet transactions. Bottom line, funds would never be sent anywhere on the blockchain without some piece of code being executed on a device. When the wallet holds the private keys, self custody is then a bit of a misnomer. And perhaps the entire community is doing itself a disservice by not making one important distinction:
Self custody is not necessarily self hosting. The storage device or software can be the key custodian, even when the owner is its sole operator. Self custody then does not equate to trustlessness; it is just a form of financial choice and control. Any notion that trustlessness can be achieved in some pure, unadulterated sense must be a logical fallacy.
And so we also trust in wallet manufacturers, third-party chip certifiers, sellers, shippers, code auditors, and - biggest of all - firmware developers. Maybe you do have a truly airgapped, offline solution. Or maybe you have a paper wallet, but even then you are trusting in seed generation methods (i.e., entropy). Above all else, you are trusting yourself and your own environment. But as members of the crypto community, what we can focus on is what we can control.
In Why We Need Wide Adoption of Social Recovery Wallets, Vitalik Buterin writes:
To me, the goal of crypto was never to remove the need for all trust. Rather, the goal of crypto is to give people access to cryptographic and economic building blocks that give people more choice in whom to trust, and furthermore allow people to build more constrained forms of trust: giving someone the power to do some things on your behalf without giving them the power to do everything.
This power of choice cannot be overstated. Choosing to self-custody is empowering, and with hardware wallets, it may feel safer and more secure. Indeed, private keys are isolated, and as the sole operator, you can maintain control. Risk management is therefore vital, but the question of acceptable risk is a highly subjective one. It is largely determined by a user's knowledge of options, their technical skill, operational security, and overall risk tolerance. While the problems of malicious software may never fully be solved, hardware wallets can significantly reduce the risks of such key exposure or loss of funds. To restate the obvious, however, fears about private key leakage or disclosure are still valid.
With this in mind, users' perceptions of hardware wallet security were recently shaken by announcements of key recovery features. And by extension, so was trust in many types of self custody. Given this shift in user psychology, an opportunity is presented to take back our choice of control. Future adoption of Bitcoin and other digital assets will rely upon these security perceptions and on an improved user experience for those who wish to self-custody their funds. To combat new risk vectors, what users can do is to choose their own cryptographic circles of trust.
The Circle of Trust
Secret Sharing and Social Recovery
Most in the community are familiar with ever-growing estimates that ~4 million BTC are assumed lost forever, a number roughly equal to 20% of the final Bitcoin supply. Others may have heard the stories of Bitcoin being lost on the legendary "boating accidents". While the latter is mostly anecdotal, the former statistics do highlight the need for improved self-custody methods, especially to protect novice users from loss. While private key recovery is controversial (and with good reason), it is because of lost funds that social recovery features may be both desirable and in demand. Regardless of any user preferences, there is some historical precedent here.
Secret sharing was first introduced by Adi Shamir in 1979 as part of his paper How to Share a Secret (PDF). The idea behind it was simple yet powerful - divide something (like a private key) into multiple parts so that only specified combinations could unlock it. Still today, this method provides enhanced security against unauthorized access, but it poses challenges when users lose portions of their keys. Because losing private keys means losing access to assets permanently, social recovery is a natural evolution of secret sharing. In social recovery systems, a group of trusted guardians is chosen to hold an encrypted share of the seed.
When needed, these contacts can come together and decrypt the respective portions to reconstruct or recover the original seed. Verifiable Secret Sharing (VSS), an extension of Shamir's initial concept, plays an important role in enhancing trust within such social recovery systems. VSS allows any participant in the scheme to verify whether their share is correct without revealing it. Ensuring integrity while maintaining confidentiality, VSS checks that guardians hold valid shares before they attempt to reconstruct the original key. Without these verification measures, malicious actors can potentially provide incorrect shares and compromise the entire process. Social recovery is then akin to multi-sig schemes, where wallet owners can require M of N key shard custodians to process a transaction.
Both social recovery and multi-sig schemes require a high level of trust that one's guardians or custodians will cooperate when needed. Assuming you can rely on enough of your custodians, such methods have no single point of failure, or put another way, no single point of vulnerability. Such methods can distribute risk; they can also displace or redistribute trust. Multi-sig then ensures that no single person can access funds without agreement from multiple parties. With social recovery, key reconstructions are also only possible with a trusted circle of one's choosing.
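The following is an added example (not from the article or from Shamir's paper) of the two ideas above: a Shamir split of a secret into n shares with threshold k, plus Feldman-style verifiable secret sharing, one common VSS construction, in which public commitments let each guardian confirm their share is valid without revealing it. The group parameters p = 1019, q = 509, g = 4 are a toy safe-prime group constructed for illustration and far too small for real use.

```python
import secrets

# Toy group constructed for this example (NOT production size):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def split_secret(secret: int, k: int, n: int):
    """Shamir split over Z_q into n shares, any k of which reconstruct.
    Also returns Feldman commitments g^a_i so shares can be verified."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    shares = []
    for x in range(1, n + 1):
        # Evaluate the degree k-1 polynomial f(x) = sum a_i * x^i mod q
        y = sum(a * pow(x, i, Q) for i, a in enumerate(coeffs)) % Q
        shares.append((x, y))
    return shares, commitments


def verify_share(share, commitments) -> bool:
    """Feldman check: g^y == prod C_i^(x^i) mod p. Only the public
    commitments and the holder's own share are needed; y stays private."""
    x, y = share
    expected = 1
    for i, c in enumerate(commitments):
        expected = expected * pow(c, pow(x, i, Q), P) % P
    return pow(G, y, P) == expected


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over Z_q (needs >= k valid shares)."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total


def corrupt(share):
    # Simulate a guardian returning a wrong share (constructed for the demo)
    x, y = share
    return (x, (y + 1) % Q)
```

Guardians should run verify_share before any reconstruction attempt; a single tampered share that passes unverified silently yields a wrong secret, which is the failure mode VSS exists to catch.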
Hardware wallet manufacturers have responded with similar recovery features. Ledger, for example, launched a recovery feature in which they effectively choose your custodians for you. These custodians holding private key fragments could be viewed as "key escrow firms". Under this configuration, users do give up some degree of control. Whatever option users choose, proper self custody or hosting takes technical prowess and vigilance.
Ultimately, users need to assess the risk and trust vectors to make the right choice for their needs. Some may actually want self-custody options that protect them against user error, while others will want to internalize as much risk as they can by self-hosting. At the end of the day, the Bitcoin blockchain is an open-source, peer-to-peer monetary network. Transparency is therefore the key to trust. This is why many people self-host, and why calls for open-sourced firmware from all hardware wallet manufacturers are both valid and critical for adoption.
Bigger picture, what self custody is really about is true ownership of assets. It speaks to an understated wisdom that centralized banking systems have inherent flaws as financial custodians. Power centers introduce greed, and greed begets power. The ability to self custody does not solve this, nor is trustlessness alone a solution. With self custody, though, we can regain some financial sovereignty. We can put our trust in systems we choose and control. And that is what this financial revolution is about. ✌🏼
You can check out an overview of Self Custody in the Chain Concepts wiki, along with:
- information on wallet attack vectors,
- atomic explanations of wallet types,
- and some examples of software and web wallets.
Subscribe or share now for early access to my next article under the working title You Cannot Decentralize Greed. Don't forget to revisit the wiki for upcoming updates. 🤙🏼